6. Скрипты по всем пунктам

Модуль 3. Эксплуатация объектов сетевой инфраструктуры

BR-SRV

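# BR-SRV: populate the Samba AD DC from Users.csv shipped on the mounted ISO.
mount /dev/sr0 /mnt

# The generated script is written with a quoted heredoc so nothing inside it is
# expanded by the outer shell (the printf/$'...' form needs every tab and quote
# escaped by hand and is easy to get subtly wrong).
cat > import_user.sh <<'EOF'
#!/bin/bash
# Usage: ./import_user.sh <Users.csv>
# CSV layout (';'-separated, header row first):
#   First Name;Last Name;Role;Phone;OU;Street;Zip;City;Country;Password
csv_file="$1"

# Create OU: one `samba-tool ou add` per distinct value of column 5.
# `sort -u` replaces `sort | uniq`; `IFS= read -r` keeps the OU name verbatim
# (no backslash processing, no trimming).
awk -F ';' 'NR>1 {print $5}' "$csv_file" | sort -u | while IFS= read -r ou; do
  samba-tool ou add "OU=$ou,DC=au-team,DC=irpo"
done

# Create Users
while IFS=';' read -r firstName lastName role phone ou street zip city country password; do
  # skip the header row
  if [ "$firstName" == "First Name" ]; then
    continue
  fi

  username="${firstName,,}.${lastName,,}"

  # One fixed initial password is set for every account; the CSV's own
  # `password` column is read but not used.  Passing it on the command line
  # exposes it briefly in the process list, which is accepted here.
  # `</dev/null` keeps samba-tool from consuming the remaining CSV lines
  # from the loop's stdin.
  samba-tool user add "$username" P@ssw0rd1 \
    --given-name="$firstName" \
    --surname="$lastName" \
    --telephone-number="$phone" \
    --job-title="$role" \
    --userou="OU=$ou" </dev/null
  samba-tool user setexpiry "$username" --noexpiry </dev/null
done < "$csv_file"
EOF

chmod +x import_user.sh

./import_user.sh /mnt/Users.csv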

HQ-SRV

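# HQ-SRV: local GOST CA plus two server certificates.
apt-get update && apt-get install -y openssl-gost-engine

control openssl-gost enabled

# Private keys must not be world-readable: generate them under a restrictive
# umask (scoped to a subshell so the public certificates below keep the
# default mode).
(
  umask 077
  openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:TCB -out ca.key
  openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out web.au-team.irpo.key
  openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out docker.au-team.irpo.key
)

# Self-signed CA certificate (req prompts for the subject interactively).
openssl req -new -x509 -md_gost12_256 -days 30 -key ca.key -out ca.cer

# CSRs — answer the CN prompt with the host name the certificate is for
# (web.au-team.irpo / docker.au-team.irpo).
# NOTE(review): no subjectAltName is requested; clients that require SAN
# will not accept these certificates for the host name.
openssl req -new -md_gost12_256 -key web.au-team.irpo.key -out web.au-team.irpo.csr
openssl req -new -md_gost12_256 -key docker.au-team.irpo.key -out docker.au-team.irpo.csr

# Sign with the CA: -CAcreateserial creates ca.srl on the first call and
# reuses it on the second, so both certificates get distinct serials.
openssl x509 -req -in web.au-team.irpo.csr -CA ca.cer -CAkey ca.key -CAcreateserial -out web.au-team.irpo.cer -days 30
openssl x509 -req -in docker.au-team.irpo.csr -CA ca.cer -CAkey ca.key -CAcreateserial -out docker.au-team.irpo.cer -days 30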

ISP

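# ISP: allow root logins so the certificates can be copied in with scp as root.
# The pattern matches the directive whether it is commented out or not and
# whatever its current value is (newer sshd ships `#PermitRootLogin
# prohibit-password`, which the old `without-password` pattern silently missed).
# Set it back to prohibit-password once the files are in place.
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/openssh/sshd_config

# Validate the edited config before restarting, otherwise a typo locks out SSH.
sshd -t && systemctl restart sshd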

HQ-SRV

# HQ-SRV: push the two server key/certificate pairs to ISP (root home).
for cert_file in \
  web.au-team.irpo.key web.au-team.irpo.cer \
  docker.au-team.irpo.key docker.au-team.irpo.cer; do
  scp -- "$cert_file" root@172.16.1.1:~/
done

ISP

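# ISP: terminate TLS for web/docker on nginx and proxy to the internal hosts.
# -p: re-running the notes must not fail because the directory already exists.
mkdir -p /etc/nginx/ssl

cp -- web.au-team.irpo.* docker.au-team.irpo.* /etc/nginx/ssl
# nginx reads the keys as root; nobody else needs them.
chmod 600 /etc/nginx/ssl/*.key

# Quoted heredoc: $host, $remote_addr, $scheme and friends are nginx
# variables and must reach the file verbatim.
# NOTE(review): TLSv1/TLSv1.1 are deprecated; keep them only if the task
# explicitly needs them.  /etc/nginx/.htpasswd is referenced by the web vhost
# and must exist (e.g. created with htpasswd) before `nginx -t` passes — it is
# not created here.
cat > /etc/nginx/sites-available.d/default.conf <<'EOF'
server {
    listen 443 ssl;
    server_name web.au-team.irpo;
    ssl_certificate /etc/nginx/ssl/web.au-team.irpo.cer;
    ssl_certificate_key /etc/nginx/ssl/web.au-team.irpo.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912-HIGH:MEDIUM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://172.16.1.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        auth_basic "Restricted area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

server {
    listen 443 ssl;
    server_name docker.au-team.irpo;
    ssl_certificate /etc/nginx/ssl/docker.au-team.irpo.cer;
    ssl_certificate_key /etc/nginx/ssl/docker.au-team.irpo.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912-HIGH:MEDIUM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://172.16.2.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# The GOST engine is needed for the ssl_ciphers line above; no apt-get update
# had been run on ISP yet, so do it here.
apt-get update && apt-get install -y openssl-gost-engine

control openssl-gost enabled

# Only restart when the config validates, so a broken file never takes the
# running instance down.
nginx -t && systemctl restart nginx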

HQ-SRV

# HQ-SRV: hand the CA certificate (public part only — never ca.key) to the client.
scp ca.cer user@192.168.200.2:~/

HQ-CLI

# HQ-CLI: install the CA into the system trust store; update-ca-trust only
# runs when the copy succeeded, and regenerates the consolidated bundles.
cp /home/user/ca.cer /etc/pki/ca-trust/source/anchors/ && update-ca-trust

Дальше по методичке Задания 3.2

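# HQ-CLI: CryptoPro installer. Chained with && so ./install_gui.sh never runs
# from the wrong directory when the cd fails (a bare cd under an interactive
# shell would otherwise be ignored).
cd /home/user/Загрузки/linux-amd64 \
  && apt-get install -y cryptopro-preinstall \
  && ./install_gui.sh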

Дальше по методичке Задания 3.2

BR-SRV

# BR-SRV: interactive shell inside the testapp container (ash suggests a
# busybox/Alpine-style image — confirm against the image used).
docker exec -it testapp ash

Дальше по методичке Задания 3.2

HQ-RTR

en
conf t
crypto-ipsec ike enable

crypto-ipsec profile IPSEC ike-v2
mode tunnel
ike-phase1
proposal aes256-sha256-modp2048
auth pre-shared-key P@ssw0rd
ike-phase2
protocol esp
proposal aes256-sha256
local-ts 172.16.1.2
remote-ts 172.16.2.2

crypto-map CMAP 10
match peer 172.16.2.2
set crypto-ipsec profile IPSEC

filter-map ipv4 FMAP 10
match gre host 172.16.1.2 host 172.16.2.2
set crypto-map CMAP peer 172.16.2.2

filter-map ipv4 FMAP 20
match udp host 172.16.2.2 eq 4500 host 172.16.1.2 eq 4500
set crypto-map CMAP peer 172.16.2.2

exit

interface tunnel.0
ip mtu 1360
set filter-map in FMAP 10

interface isp
set filter-map in FMAP 20

end

write memory

conf t

filter-map ipv4 FMAP 21
match tcp any any eq 88
match udp any any eq 88
match udp any any eq dns
match tcp any any range 3268 3269
match tcp any any eq dns
match tcp any any eq 389
match udp any any eq 464
match tcp any any eq 636
match tcp any any eq 445
match udp any any range 137 138
set accept

filter-map ipv4 FMAP 22
match icmp any any
match ospf any any
match tcp any any eq 8080
match tcp any any eq http
match tcp any any eq https
match udp any any eq 123
match tcp any any eq 2026
match tcp any any eq 514
match udp any any eq 514
match tcp any any range 32768 60999
match udp any any range 32768 60999
match udp any any eq 500
set accept

end

write memory

BR-RTR

en
conf t

crypto-ipsec ike enable

crypto-ipsec profile IPSEC ike-v2
mode tunnel
ike-phase1
proposal aes256-sha256-modp2048
auth pre-shared-key P@ssw0rd
ike-phase2
protocol esp
proposal aes256-sha256
local-ts 172.16.2.2
remote-ts 172.16.1.2

crypto-map CMAP 10
match peer 172.16.1.2
set crypto-ipsec profile IPSEC

filter-map ipv4 FMAP 10
match gre host 172.16.2.2 host 172.16.1.2
set crypto-map CMAP peer 172.16.1.2

filter-map ipv4 FMAP 20
match udp host 172.16.1.2 eq 4500 host 172.16.2.2 eq 4500
set crypto-map CMAP peer 172.16.1.2

exit

interface tunnel.0
ip mtu 1360
set filter-map in FMAP 10

interface isp
set filter-map in FMAP 20

end

write memory

conf t

filter-map ipv4 FMAP 21
match tcp any any eq 88
match udp any any eq 88
match udp any any eq dns
match tcp any any range 3268 3269
match tcp any any eq dns
match tcp any any eq 389
match udp any any eq 464
match tcp any any eq 636
match tcp any any eq 445
match udp any any range 137 138
set accept

filter-map ipv4 FMAP 22
match icmp any any
match ospf any any
match tcp any any eq 8080
match tcp any any eq http
match tcp any any eq https
match udp any any eq 123
match tcp any any eq 2026
match tcp any any eq 514
match udp any any eq 514
match tcp any any range 32768 60999
match udp any any range 32768 60999
match udp any any eq 500
set accept

end

write memory

HQ-SRV

# HQ-SRV: print server with a PDF backend.
apt-get update && apt-get install -y cups cups-pdf

systemctl enable --now cups

# --remote-any exposes the CUPS web/IPP interface to every host that can reach
# the server, not just the local subnet; restrict at the firewall if needed.
cupsctl --share-printers --remote-any

HQ-CLI

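# HQ-CLI: static name for the print server. Idempotent — a plain `>>` appends
# a duplicate entry on every run of the notes.  printf's \t reproduces the
# literal tab separators of the original line.
grep -q 'hq-srv.au-team.irpo' /etc/hosts \
  || printf '192.168.100.2\thq-srv.au-team.irpo\thq-srv\n' >> /etc/hosts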

Дальше по методичке Задания 3.5

HQ-RTR

rsyslog host 192.168.100.2

BR-RTR

rsyslog host 192.168.100.2

HQ-SRV

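# HQ-SRV: first (superseded) rsyslog attempt — the drop-in variant further
# down is the one that was kept.
# -y: non-interactive install, as everywhere else on the page.
apt-get install -y rsyslog

# Quoted heredoc: rsyslog's own `$ModLoad` directives must reach the file
# verbatim.  With an unquoted <<EOF bash expands $ModLoad to an empty string,
# which is exactly why "copying rsyslog.conf breaks".
# NOTE(review): this overwrites the whole /etc/rsyslog.conf, and 192.168.100.2
# is HQ-SRV's own address (see `rsyslog host 192.168.100.2` on the routers),
# so the *.warn line forwards the host's logs to itself.
cat > /etc/rsyslog.conf <<'EOF'
$ModLoad imuxsock
$ModLoad imjournal
*.warn @192.168.100.2:514
EOF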

HQ-SRV — при копировании rsyslog.conf ломается
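# HQ-SRV: central syslog receiver for the routers and BR-SRV, plus rotation.
apt-get update && apt-get install -y rsyslog

# Target directories for the per-host files written by the rules below.
mkdir -p /opt/hq-rtr /opt/br-rtr /opt/br-srv

# Quoted heredoc: `$ModLoad` and `$fromhost-ip` are rsyslog syntax. With an
# unquoted <<EOF bash expands $ModLoad to "" and $fromhost to "", leaving
# `if -ip contains ...`, which rsyslog rejects — the reason the earlier copy
# "broke".  (The `touch` is unnecessary; `cat >` creates the file.)
# NOTE(review): imudp/port 514 is declared both here and, via the sed calls
# below, in 00_common.conf; rsyslog logs an error for the duplicate module
# load and the second bind.  Drop one of the two once it is confirmed which
# file 00_common.conf actually carries the commented-out lines.
cat > /etc/rsyslog.d/rsyslog.conf <<'EOF'
module(load="imudp")
$ModLoad imuxsock
authpriv.* /var/log/auth.log
input(type="imudp" port="514")
if $fromhost-ip contains '192.168.100.1' then {
*.warn /opt/hq-rtr/router.log
}
if $fromhost-ip contains '10.10.10.2' then {
*.warn /opt/br-rtr/router.log
}
if $fromhost-ip contains '192.168.0.2' then {
*.warn /opt/br-srv/server.log
}
EOF

# Uncomment the UDP/TCP receivers shipped in the distro config.
sed -i 's/#module(load="imudp")/module(load="imudp")/g' /etc/rsyslog.d/00_common.conf
sed -i 's/#input(type="imudp" port="514")/input(type="imudp" port="514")/g' /etc/rsyslog.d/00_common.conf
sed -i 's/#module(load="imtcp")/module(load="imtcp")/g' /etc/rsyslog.d/00_common.conf
sed -i 's/#input(type="imtcp" port="514")/input(type="imtcp" port="514")/g' /etc/rsyslog.d/00_common.conf

systemctl enable --now rsyslog

apt-get install -y logrotate

# Rotation stanza goes into a drop-in instead of replacing /etc/logrotate.conf
# wholesale — overwriting the global file discards the distro defaults and the
# `include /etc/logrotate.d` line that pulls in every other package's rules.
# (File name below is a constructed example; any name in logrotate.d works.)
cat > /etc/logrotate.d/remote-hosts <<'EOF'
/opt/br-rtr/*.log
/opt/hq-rtr/*.log
/opt/br-srv/*.log
{
weekly
compress
minsize 10M
}
EOF

# `--now` (two dashes): the original `-now` is parsed as `-n ow` and fails.
# NOTE(review): on timer-based setups the unit to enable is logrotate.timer —
# confirm which unit the distro ships.
systemctl enable --now logrotate
# Dry run of the full config (including the drop-in) to validate syntax.
logrotate -d /etc/logrotate.conf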

BR-SRV

# BR-SRV: rsyslog client (its own logs are picked up by the HQ-SRV rule for 192.168.0.2).
apt-get update && apt-get install -y rsyslog

BR-SRV

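# BR-SRV: Ansible playbook that records hostname/IP of hq-srv and hq-cli on
# the controller.  The notes only displayed the file with `cat`; writing it
# here makes the step reproducible.  The heredoc is quoted so the Jinja
# braces and everything else are copied verbatim.
# The copy module needs the destination directory to exist on the
# controller (delegate_to: localhost), so create it first.
mkdir -p /etc/ansible/PC-INFO

cat > /etc/ansible/get_hostname_address.yml <<'EOF'
- name: Get_hostname
  hosts: hq-srv,hq-cli
  tasks:
     - name: Save hostname ip
       copy:
           dest: /etc/ansible/PC-INFO/{{ ansible_hostname }}.yml
           content: |
              Hostname: {{ ansible_hostname }}
              IP_Address: {{ ansible_default_ipv4.address }}
       delegate_to: localhost
EOF

# Absolute path: the bare file name only resolves when the cwd is /etc/ansible.
ansible-playbook /etc/ansible/get_hostname_address.yml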

HQ-SRV

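# HQ-SRV: fail2ban for the sshd jail on the custom port 2026.
apt-get install -y fail2ban iptables

# Make sshd log via authpriv at INFO so auth events land in /var/log/auth.log
# (the rsyslog rule appended below).  The patterns match the directive whether
# it is still commented out or already set to another value, instead of
# silently doing nothing when the shipped default differs.
sed -i -E 's/^#?SyslogFacility .*/SyslogFacility AUTHPRIV/' /etc/openssh/sshd_config
sed -i -E 's/^#?LogLevel .*/LogLevel INFO/' /etc/openssh/sshd_config

# Jail settings go into jail.local instead of patching jail.conf by line
# number: `sed '285c ...'` rewrites whatever happens to be on line 285 and
# corrupts the file on any other package version.  jail.local overrides
# jail.conf and survives package upgrades.
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = yes
port = 2026
logpath = /var/log/auth.log
maxretry = 3
bantime = 1m
EOF

# authpriv rule: append once only, so re-running the notes does not log every
# auth line twice.
grep -q '^authpriv\.\* /var/log/auth\.log' /etc/rsyslog.d/00_common.conf \
  || echo 'authpriv.* /var/log/auth.log' >> /etc/rsyslog.d/00_common.conf

# Both daemons were reconfigured above; neither re-reads its config on its own.
systemctl restart sshd rsyslog
systemctl enable --now fail2ban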